Installing Windows Server 2012 R2 Direct Access and Windows 7 / 8

Direct Access is an excellent VPN solution from Microsoft. With Server 2012 R2 it got even better.

There are a lot of pages explaining how to install it correctly, but in real life you have to combine several of them.

So here goes 🙂

Installing a Direct Access server with two NICs:

http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/

I want to point out a couple of tips.

If you don't have a CRL available externally, use an external publisher's wildcard or named certificate. You will avoid revocation list problems.
  
Remote Access Server Setup - Network Adapters - External Internal 

For Windows 7 support.

 

Network Location Server.

You must use some other server for the NLS to support Windows 7. Windows 8 works when the NLS is on the Direct Access server, but Windows 7 won't!

 

If you get an error when you validate the NLS, install this hotfix and reboot.

http://support.microsoft.com/kb/2929930

And this one is a must-install for Windows 8 and 8.1 computers:

http://support.microsoft.com/kb/2953212

Windows 7 client certificates required to get Direct Access online:

http://syscomlab.blog.com/2012/09/how-to-get-windows-7-to-work-with-directaccess-server-2012/

Remember that you also have to get the same computer certificates for Windows 8 machines, otherwise they won't work!

Add a Group Policy for auto-enrollment and add the same computer security group as its security filtering. It's the easiest way to get computer certificates for both operating systems.

Get IP-HTTPS state: netsh int httpstunnel show int

If IP-HTTPS reports error 0x8009030e (SEC_E_NO_CREDENTIALS), install the following hotfix:

http://support.microsoft.com/kb/2758949
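
A client-side check for the two items above, the auto-enrolled computer certificate and the IP-HTTPS state. This is an added example, not part of the original post or the linked guides. It assumes the certificate comes from a template that carries the Client Authentication EKU, as the default Computer template does, and it does not validate the chain to your CA.

```powershell
# Added example, not from the original post. Uses only PowerShell 2.0 features
# so the same script runs on Windows 7 and Windows 8 clients.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumed requirement)
$now = Get-Date

function Test-ComputerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Find the Enhanced Key Usage extension, if the certificate has one.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1

    # A certificate without an EKU extension is valid for every purpose.
    $clientAuth = $true
    if ($eku) {
        $clientAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
    }
    $inDate = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        ClientAuth = $clientAuth
        PrivateKey = $Cert.HasPrivateKey
        Usable     = $clientAuth -and $inDate -and $Cert.HasPrivateKey
    }
}

# Evaluate every certificate in the local computer's Personal store.
$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ComputerCertificate $_ })
$results | Format-Table Subject, Issuer, NotAfter, ClientAuth, PrivateKey, Usable -AutoSize

if (@($results | Where-Object { $_.Usable }).Count -eq 0) {
    Write-Warning 'No usable computer certificate found. Check the auto-enrollment GPO and its security filtering, then run gpupdate /force.'
}

# IP-HTTPS tunnel state, using the command given in the post.
netsh int httpstunnel show int
```

Run it from an elevated PowerShell prompt on the client.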

If you still have problems with Windows 7 Direct Access, see this link:

http://technet.microsoft.com/en-us/library/ee844126%28v=ws.10%29.aspx

With these you can get both of them working with a single GPO. You don't need to copy the default one and add DTE addresses and corporate resources to it!

And as a last tip for today: Direct Access Connectivity Assistant is only for diagnostic use with Windows 7. You don't need to install it.

Thanks to Jack Stromberg and SysComLab for the help!

Author: Harri Jaakkonen
